trouble configuring pam using pam_ldap and pam_mount
Heiko Harders
harders at fmf.nl
Sun Jul 29 14:23:02 UTC 2007
Some hours of trial and error later I still don't have it working...
but I can't understand why. The configurations I tried should (as seen
from my logic) work, but they don't. A few examples of configurations I
tried are listed below (by the way, I use Ubuntu 7.04 'Feisty Fawn'
clients, I didn't mention it before, but I thought it might be important):
## common-account (I changed this a bit according to an article I found,
written by Martin Schwenke):
account requisite pam_unix.so
account sufficient pam_localuser.so
account required pam_ldap.so
## common-auth:
# first authenticate for pam_mount, this is the only way (as far as I
# know) to prevent multiple password requests (as it seems 'use_first_pass'
# doesn't work for pam_mount.so)
auth required pam_mount.so
auth sufficient pam_ldap.so use_first_pass
auth required pam_unix.so nullok_secure use_first_pass
Next are the different versions of 'common-session' I tried.
## common-session [VERSION 1]:
session optional pam_foreground.so
session requisite pam_unix.so
# the following line jumps over the mounting
# but of course... it does for all users... (as expected)
session [default=1] pam_localuser.so
session required pam_mount.so
session required pam_ldap.so
## common-session [VERSION 2]:
session optional pam_foreground.so
session requisite pam_unix.so
# the following line doesn't seem to have any effect
# mounting is executed for local users and users in the ldap server
# I would have expected pam would terminate after this line
# when a local user logs on (because of the 'sufficient' control value)
session sufficient pam_localuser.so
session required pam_mount.so
session required pam_ldap.so
## common-session [VERSION 3]:
session optional pam_foreground.so
session requisite pam_unix.so
# the following line gives 'su: Module is unknown' after
# the request for the password
session [user_unknown=ignore default=done] pam_localuser.so
session required pam_mount.so
session required pam_ldap.so
## common-session [VERSION 4]:
session optional pam_foreground.so
session requisite pam_unix.so
# the following line doesn't mount anything, not for
# local users and not for ldap users
# (in either case 'ok' or 'ignore')
session [user_unknown=ok/ignore default=2] pam_localuser.so
session required pam_mount.so
session required pam_ldap.so
## common-session [VERSION 5]:
session optional pam_foreground.so
# the following line also does mounting for local users
# (I also found this in the article by Martin Schwenke and adapted it a bit)
session [success=ok new_authtok_reqd=ok ignore=2 \
        authinfo_unavail=ignore user_unknown=ignore default=bad] \
        pam_ldap.so ignore_unknown_user
session required pam_mount.so
session required pam_ldap.so
session requisite pam_unix.so
So still no success. As I said before, logging on works for local users
and for users in the LDAP. Mounting also works for the users in the
LDAP, but I would like to prevent the execution of pam_mount for local
users (because these users don't need mounting and if there is a user in
the LDAP with the same username/password combo, his/her homedir is
mounted on top of the local homedir. I would like to make sure local
users are more important).
Some other details that might be important: for testing the
configurations I use 'su' (it's the fastest way), but quite a few times I
also tried logging in with gdm (Gnome). There seems to be no difference,
and in my view that seems logical, because I only edit the
/etc/pam.d/common-* files (I don't edit any of the other files in that
directory).
Is there anybody who could explain why the listed examples don't work?
And what about my approach? Jose Plans already suggested using 'autofs',
but it seems to me that using pam_mount would be a cleaner approach.
Anyone any ideas on this? Is my approach perhaps outdated?
Greetings,
Heiko
Heiko Harders wrote:
> Hi,
>
> I'm trying to configure PAM for my needs all day now, but I can't get
> it right.
> I have an LDAP server which contains the user login information for my
> users. This server also serves the home directories using NFS.
>
> On my clients I use pam_ldap to authenticate and I use pam_mount to
> mount the home directories whenever a user logs on. This works fine.
> The problem is, whenever a local user on the client logs on, pam_mount
> tries to mount a home directory from the server. In my pam
> configuration I would like to specify that pam_mount shouldn't be
> executed whenever a local user logs on. But I can't figure out how. I
> use the default files in my '/etc/pam.d/' directory and I've modified
> the 'common-*' files in the following way:
>
> common-account:
> account sufficient pam_ldap.so
> account required pam_unix.so
>
> common-auth:
> auth required pam_mount.so
> auth sufficient pam_ldap.so use_first_pass
> auth sufficient pam_unix.so nullok_secure use_first_pass
>
> common-password:
> password sufficient pam_ldap.so
> password required pam_unix.so nullok obscure min=4 max=8 md5
>
> common-session:
> session optional pam_foreground.so
> ## I think I should add something over here
> session required pam_mount.so
> session sufficient pam_ldap.so
> session required pam_unix.so
>
> I've tried to add a line in the common-session file, something like this:
> session [user_unknown=2 default=ignore] pam_ldap.so
> Hoping this would skip the next 2 lines if the user wasn't found on
> the ldap server. But this doesn't seem to work. The following line did
> work, but doesn't do what I want:
> session [default=2] pam_ldap.so
> In this case ALL users skip the next two lines.
>
> Has anyone a clue what I'm doing wrong? Is there something wrong in my
> syntax? Or is the complex approach wrong?
>
> Greetings,
> Heiko
> _______________________________________________
> Pam-list mailing list
> Pam-list at redhat.com
> https://www.redhat.com/mailman/listinfo/pam-list